CVE-2026-42074
Status: Analyzed - Analysis Complete
Code Execution via Sandbox Bypass in OpenClaude

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-03
Generated: 2026-06-22
AI Q&A: 2026-06-02
EPSS Evaluated: 2026-06-21
Affected Vendors & Products
Vendor: gitlawb
Product: openclaude
Version / Range: up to 0.5.1 (excluding)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

CVE-2026-42074 is a critical sandbox bypass vulnerability in the OpenClaude project, an open-source coding-agent CLI. The issue arises because the parameter dangerouslyDisableSandbox is exposed in the BashTool input schema, allowing an untrusted Large Language Model (LLM) to set it to true in any tool_use response.

With the default setting allowUnsandboxedCommands set to true, this enables the model to escape the sandbox and execute arbitrary commands directly on the host system, leading to full host-level code execution.

The vulnerability is due to the shouldUseSandbox() function incorrectly disabling the sandbox when the model sets dangerouslyDisableSandbox to true and unsandboxed commands are allowed by default. This contradicts the project's threat model, which treats the model as an untrusted principal.

Proof-of-concept exploits include executing destructive commands like removing all files or exfiltrating sensitive data such as SSH keys.

Impact Analysis

This vulnerability allows an attacker controlling the LLM to bypass sandbox restrictions and execute arbitrary commands on the host system.

  • Full host-level code execution, which can lead to system compromise.
  • Potential exfiltration of sensitive files, such as private SSH keys.
  • Execution of destructive commands, including deleting critical files or data.

Overall, this can result in complete loss of system integrity, confidentiality, and availability.

Detection Guidance

This vulnerability can be detected by checking whether the OpenClaude instance runs a version prior to 0.5.1 (where the dangerouslyDisableSandbox parameter is exposed) and whether the configuration allows unsandboxed commands (allowUnsandboxedCommands is true).

Detection can involve monitoring for suspicious tool_use responses from the LLM that include the dangerouslyDisableSandbox parameter set to true.

Additionally, you can look for evidence of sandbox bypass attempts such as execution of arbitrary commands outside the sandbox, for example commands that access sensitive files or open reverse shells.

Searching logs or monitoring processes for commands such as the following can surface exploitation attempts:

  • cat ~/.ssh/id_rsa
  • rm -rf /
  • Commands that open reverse shells or unexpected network connections.

Since the vulnerability is related to the BashTool input schema, inspecting the input payloads or logs for the presence of dangerouslyDisableSandbox: true in tool_use responses can help detect attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaude to version 0.5.1 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, you should set the configuration option allowUnsandboxedCommands to false to prevent the model from disabling the sandbox.

Additionally, review and remove any exposure of the dangerouslyDisableSandbox parameter from the BashTool and PowerShell tool schemas to ensure the model cannot control sandbox overrides.

Ensure that any sandbox override requires explicit approval from a trusted internal source and is never controlled by the model.

Monitoring and auditing tool_use responses for suspicious parameters or commands is also recommended as part of ongoing mitigation.
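The following is an added example, not OpenClaude's own code: it puts the detection advice (flag tool_use blocks that carry dangerouslyDisableSandbox: true) next to the pre-0.5.1 decision logic as the advisory describes it and a hardened variant in which the override comes only from a trusted source. The tool_use/input field layout, the sample messages and the approvedOverride flag are assumptions.

```javascript
// Constructed sample of tool_use blocks, shaped the way a model response might carry them.
// Only toolu_02 sets the model-controlled override.
const SAMPLE_TOOL_USES = [
  { type: 'tool_use', id: 'toolu_01', name: 'BashTool',
    input: { command: 'npm test' } },
  { type: 'tool_use', id: 'toolu_02', name: 'BashTool',
    input: { command: 'cat ~/.ssh/id_rsa', dangerouslyDisableSandbox: true } },
  { type: 'tool_use', id: 'toolu_03', name: 'BashTool',
    input: { command: 'ls', dangerouslyDisableSandbox: false } },
];

// Detection: return every tool_use whose input sets dangerouslyDisableSandbox to true,
// so it can be logged or alerted on before the command is dispatched.
function findSandboxOverrides(toolUses) {
  return toolUses
    .filter(t => t.type === 'tool_use' && t.input && t.input.dangerouslyDisableSandbox === true)
    .map(t => ({ id: t.id, tool: t.name, command: t.input.command }));
}

// Pre-0.5.1 behaviour as the advisory describes it: a model-supplied flag plus the default
// allowUnsandboxedCommands: true is enough to skip the sandbox.
function shouldUseSandboxVulnerable(input, config) {
  if (input.dangerouslyDisableSandbox && config.allowUnsandboxedCommands) return false;
  return true;
}

// Mitigation step 1: strip the key from the tool input so the model cannot reach the override
// at all, whatever the schema still accepts.
function sanitizeBashToolInput(input) {
  const { dangerouslyDisableSandbox, ...rest } = input; // eslint-disable-line no-unused-vars
  return rest;
}

// Mitigation step 2: the sandbox decision takes no model input. The override is a hypothetical
// approvedOverride boolean set by the user or host, and it only counts when the config permits
// unsandboxed commands.
function shouldUseSandboxHardened(config, approvedOverride = false) {
  return !(config.allowUnsandboxedCommands === true && approvedOverride === true);
}

// Stand-alone run: report flagged blocks and show both decision paths on the flagged input.
const hits = findSandboxOverrides(SAMPLE_TOOL_USES);
const cfg = { allowUnsandboxedCommands: true };
for (const hit of hits) {
  console.log(`override requested in ${hit.id}: ${hit.command}`);
  const raw = SAMPLE_TOOL_USES.find(t => t.id === hit.id).input;
  console.log(' vulnerable path sandboxed:', shouldUseSandboxVulnerable(raw, cfg));
  console.log(' hardened path sandboxed:  ', shouldUseSandboxHardened(cfg));
}
```

The detector is the piece to wire into whatever intercepts tool_use responses before dispatch; the hardened decision function shows the shape the advisory asks for, with the override decoupled from anything the model can emit.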

Compliance Impact

The vulnerability allows an untrusted model to execute arbitrary commands on the host system by bypassing the sandbox, potentially leading to unauthorized access to sensitive data.

Such unauthorized access and execution could result in data breaches or exposure of confidential information, which would negatively impact compliance with data protection standards and regulations like GDPR and HIPAA.

By enabling full host-level code execution, the vulnerability increases the risk of compromising personal or protected health information, thereby violating regulatory requirements for data confidentiality and integrity.

Mitigation steps, such as removing the dangerouslyDisableSandbox parameter from model control and requiring explicit trusted approval for sandbox bypass, help restore compliance by preventing unauthorized command execution.
